Using Distribution Groups in SharePoint for securing SharePoint securables is not possible.

01/08/2012 Leave a comment

Using Distribution Groups in SharePoint for securing SharePoint securables is not supported. So if you checked fallowing article on SharePoint side,

http://technet.microsoft.com/en-us/library/cc261972.aspx

“In Active Directory Domain Services (ADDS), the following groups are commonly used to organize users:

  • Distribution group A group that is used only for  e-mail distribution and that is not security-enabled. Distribution groups cannot be listed in discretionary access control lists (DACLs), which are used to define permissions on resources and objects.
  • Security group A group that can be listed in DACLs. A security      group can also be used as an e-mail entity.

You can use security groups to control permissions for your site by adding security groups to SharePoint groups and granting permissions to the SharePoint groups. You cannot add distribution groups to SharePoint groups, but you can expand a distribution group and add the individual members to a SharePoint group. If you use this method, you must manually keep the SharePoint group synchronized with the distribution group. If you use security groups, you do not need to manage the individual users in the SharePoint application. Because you included the security group instead of the individual members of the group, ADDS manages the users for you.”

You can not use any Distribution Group for providing  permission on SharePoint securables. Because distribution groups cannot be listed in discretionary access control lists (DACLs), which are used to define permissions on resources and objects.SharePoint is using this ACL objects to make security operations. There is no way or workaround for using Distribution Groups in SharePoint for securing SharePoint objects.

So we have some other options.

1)      As mentioned in above article :  you can expand a distribution group and add the individual members to a SharePoint group and using this SharePoint groups for securing objects.

2)      Changing Distribution Groups as Security Group in AD and use it in SharePoint. (I am suggesting this step because AD Groups will provide more gain on performance issues)

Advertisement

Filed under Sharepoint 2010 Tagged with , , , , , , , ,

CBA FBA wilt LDAP problem when using connection between SUN LDAP 5.2

23/07/2012 Leave a comment

If you have a problem with between SPS2010 and CBA FBA with LDAP problem when using connection with SUN LDAP 5.2 (our  build 2007.093.1546)
You may getting fallowing error.
System.Runtime.InteropServices.COMException (0x80005000): Unknown error (0x80005000)     at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)     at System.DirectoryServices.DirectoryEntry.Bind()     at System.DirectoryServices.DirectoryEntry.get_AdsObject()     at System.DirectoryServices.DirectorySearcher.FindAll(Boolean findMoreThanOne)     at System.DirectoryServices.DirectorySearcher.FindOne()     at Microsoft.Office.Server.Security.LDAP.FindOneObject(DirectoryEntry searchRoot, String filter, SearchScope scope, String[] propertiesToLoad, ResultPropertyCollection& entryProperties)     at Microsoft.Office.Server.Security.LdapMembershipProvider.GetUserAttributeBySearchProperty(String searchValue, String searchProperty, String returnAttribute)
04/10/2012 17:52:51.57  w3wp.exe (0x2420)                        0x3F18 SharePoint Foundation          Claims Authentication          0000 Unexpected Password check on ‘<USER>‘generated exception: ‘System.ServiceModel.FaultException`1[Microsoft.IdentityModel.Tokens.FailedAuthenticationException]: The security token username and password could not be validated. (Fault Detail is equal to Microsoft.IdentityModel.Tokens.FailedAuthenticationException: The security token username and password could not be validated.).’.
04/10/2012 17:52:51.61  w3wp.exe (0x2420)                        0x3F18 SharePoint Foundation          Claims Authentication          fo1t Monitorable SPSecurityTokenService.Issue() failed: System.ServiceModel.FaultException`1[Microsoft.IdentityModel.Tokens.FailedAuthenticationException]: The security token username and password could not be validated. (Fault Detail is equal to Microsoft.IdentityModel.Tokens.FailedAuthenticationException: The security token username and password could not be validated.).

For fixing the issue you may change your web.config files below and watch out for highlighted attributes and correct them according your envoriment.

1. In the web.config of the different part CA, Web App and STS you have:

<membership>       <providers>
<add name=”LdapConnection” type=”Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c”
server=”Your Server IP” port=”389″ useSSL=”false”
useDNAttribute=”false”
userNameAttribute=”uid”
userContainer=”ou=MyCustomOu,o=contoso,dc=contoso,dc=ldap
userObjectClass=”Inetorgperson”
userFilter=”(ObjectClass=Inetorgperson)”
scope=”Subtree”
otherRequiredUserAttributes=”sn,givenname,cn”
connectionUsername=”uid=postman22,ou=MyCustomOu,o=contoso,dc=contoso,dc=ldap
connectionPassword=”blog.bugrapostaci.com” />
</providers>     </membership>

3. After those changes you have been able to logon in the site collection using FBA.

For SUN LDAP 5.2
useDNAttribute should set to false and userNameAttribute must be uid
connectionUsername attribute defines that which user account be used in binding . ( Thats not  prevents to other users logins.They can login sharepoint with their passwords)
important issue here defining the connectionUsername attribute like “uid:postman22” is not enough you may need to add full path like “uid=postman22,ou=MyCustomOu,o=contoso,dc=contoso,dc=ldap

 

Filed under Sharepoint 2010 Tagged with , , , , , , , , , , , ,

how to remove unnecessery handler mappings from Sharepoint 2010 web application for security purpose

27/10/2011 Leave a comment

This article explains how to restrict or remove unnecessary handler mappings for  Microsoft SharePoint Foundation web application in the Integrated Request Pipeline of Internet Information Services (IIS) .

As you know Sharepoint has modifed the pipeline for more information about Why Sharepoint modifing the request pipeline please read this topic :
http://msdn.microsoft.com/en-us/library/ee537834.aspx

For a general web application you can modify pipleline using:

  • Pipeline Changes at the ASP.NET Framework Level: Sharepoint  does not change any thing for this level that mean sharepoint makes no changes to the machine.config file or the global web.config file.
  • Pipeline Changes at the IIS Configuration Level : The modifications on applicationhost.config file.This file is located in the %WinDir%\System32\inetsrv\config\ directory and it contains registrations of the IIS Web sites and application pools on the server, as well as some settings that apply to all Web applications on the Web server. The settings in applicationhost.config are primarily oriented to the parts of the pipeline that are contributed by IIS, whereas the machine.config and the global web.config files contain settings that are primarily oriented to the parts of the integrated request pipeline that are contributed by ASP.NET.
  • Pipeline Changes at the SharePoint Web Application Level: The modifications on web.config files.
  • Pipeline Changes at the Directory Level : The modifications on directory levels still using web.config files.Particular physical or virtual directories in an IIS Web site can also have their own web.config file to add new settings or override inherited settings. The new settings and overrides, of course, apply only to HTTP requests for resources located within the directory and its subdirectories.

Important ! :In this article scope of “Pipeline Changes at the IIS Configuration Level” so get backup your applicationhost.config file before do anything in %WinDir%\System32\inetsrv\config\

Bellowed configuration is for standart sharepoint web application so if you have some custom codes that need extra handler please add needed handlers to list.

For removing handler mappings

1) open your IIS console.
2) select your Sharepoint Web Application
3) Click Handler Mappings.

And Remove unneceserry handler mappings by selecting and clicking remove button on iis console.

 The handlers in  picture below are the needed ones so don’t delete them.

So sharepoint is not use any .net framework 4.0 components and the other iis default isapi extentions.
Always make a test that your site is working correctly. For testing use these starting points:

  • Test Pages
  • Test System Pages
  • Test File Upload
  • Test Search
  • Test Sharepoint Designer Connection
  • Add your custom test items.

see you next articles.

Filed under Sharepoint 2010 Tagged with , , , , ,

Getting error of “Unable to display this Web Part” on WSS2.0/SPS2003 after installing MS11-074

04/10/2011 Leave a comment

September Security Bulletin (MS11-04) is affecting WSS 2.0/SPS2003 ,  After installing security update MS11-074 for Windows SharePoint Services 2.0 / SharePoint Portal Server 2003 (KB 2494007), we are faced with problems with some DataViewWebPart s.
The error message is :
Unable to display this Web Part. To troubleshoot the problem, open this Web page in a Windows SharePoint Services-compatible HTML editor such as FrontPage. If the problem persists, contact your Web server administrator.”

the problem is cause by The Security Update breaks some XSLT ddwrt functions in the Data View Web Part, for example, ddwrt:FormatDate(string szDate, long lcid, long formatFlag) and ddwrt:FilterLink().

For resolving this issue you ;

1) Upgrade to Windows SharePoint Services 3.0 or Office SharePoint Server 2007.
2. Evaluate how widely the Data View Web Part is used and apply the following workaround if there are very few pages affected:
Remove broken ddwrt functions in the Extensible Stylesheet Language Transformation (XSLT) code of the Data View Web Part.
Here is an example when the broken ddwrt function is
ddwrt:FormatDate(string szDate, long lcid, long formatFlag):

Replace code “ddwrt:FormatDate(string(@someDateField), 1033, 5)” with “@someDateField”. By applying this work around, the Data View will render in browser, however, the formatting of the Date field will be changed as following:

Before the security update, the date is in this format: 9/27/2011 6:21 PM
After above work around, the date is in this format: 2011-09-27T18:21:03

Another example, ddwrt:FilterLink(), this function returns an empty string. Just remove the function, the Data View should render the same way as before.

The above concept can be applied to other ddwrt functions with caution. There are possibilities that removing ddwrt functions will impair the function of XSLT so that the data displayed in Data View is not in the desired format. In those situations, please consider option 1 or 3.

3. Rollback the WSS 2.0/SPS 2003 farm to a state prior to installing the above Security Update. A backup of the farm/content databases before the security update is required for this to be successful.

Filed under Sharepoint Tagged with , , , , , , ,

Think twice for installing September Security Bulletin (MS11-074) KB2560890 on Sharepoint 2010

23/09/2011 Leave a comment

We have getting more problem after installing September Security Bulletin (MS11-074) if you not have sp1 .So i decided to write an article for that.

we have two known issue:

Issue #1- Users unable to browse Publishing sites
Actually i didnt face this problem yet but for this in Tehnoon Raza blog says:
This issue affects the ability of users to browse to and use SharePoint Publishing sites. When browsing to the site, users may experience the following error:
“An Unexpected error has occurred”
Following error is reported in the ULS logs or on the SharePoint page if the “CallStack” attribute of set to “true” in the web.config file:

Method not found: ‘Void Microsoft.Office.Server.WebControls.AudienceLoader.GetAudiencesFetchedDuringPageRequest(System.Collections.Generic.Dictionary`2<System.Guid,Boolean> ByRef, System.Collections.Generic.Dictionary`2<System.String,Boolean> ByRef, System.Collections.Generic.Dictionary`2<System.String,Boolean> ByRef)’.

Issue #2- Unable to Manage User Profile Service Application
the main problem is when you try to open User Profile Service Application , you are getting a “File Not Found” error :

System.IO.FileNotFoundException: Could not load file or assembly ‘Microsoft.ResourceManagement, Version=4.0.2450.34, Culture=neutral, PublicKeyToken=65bf2559ag374f77’ or one of its dependencies. The system cannot find the file specified.    at Microsoft.Office.Server.UserProfiles.UserProfileConfigManager.InitializeIlmClient(String ILMMachineName, Int32 FIMWebClientTimeOut)     at Microsoft.Office.Server.UserProfiles.UserProfileConfigManager..ctor(UserProfileApplicationProxy userProfileApplicationProxy, Guid partitionID)     at Microsoft.SharePoint.Portal.UserProfiles.AdminUI.ProfileAdminPage.IsProfileSynchronizationRunning() 

For resolving this problem you can apply the KB article action plan (but this is not solve the problem) :
To do this, follow these steps:

  1. Open Central Administration.
  2. In the System Settings section, click Manage Services
  3. Find User Profile Synchronization Service in the list of services. If its status is Started, click Stop. Click Start, and then provide the credentials to start the User Profile Synchronization service.

After do that may be you need a full reset for Sharepoint Machine. i could say this not resolve your problem even if the problem “file not found” has gone. If you try full syncronization you will notice that FIM service gonna hang on MOSS_EXPORT step with an error of “ma-extention-error” and your users not synced at all.
And you can see the error on your Event Viewer Application Log:

System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. —> System.MissingMethodException: Method not found: ‘Void Microsoft.Office.Server.UserProfiles.ProfileManagerBase.UpdateProfileWithBulkProperties(Int64, System.String, System.String, System.Collections.Hashtable)’. at Microsoft.Office.Server.UserProfiles.ProfileImportExportService.UpdateWithProfileChangeData(Int64 importExportId, ProfileChangeData[] profileChangeData) — End of inner exception stack trace — at System.RuntimeMethodHandle._InvokeMethodFast(Object target, Object[] arguments, SignatureStruct& sig, MethodAttributes methodAttributes, RuntimeTypeHandle typeOwner) at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture, Boolean skipVisibilityChecks) at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture) at Microsoft.Office.Server.WebServiceDirectProxy.WebMethodInfo.Invoke(Object webServiceInstance, Object[] args) at Microsoft.Office.Server.WebServiceDirectProxy.Invoke(String methodName, Object[] args) at Microsoft.Office.Server.UserProfiles.ManagementAgent.ProfileImportExportDirect.UpdateWithProfileChangeData(Int64 importExportId, ProfileChangeData[] profileChangeData) at Microsoft.Office.Server.UserProfiles.ManagementAgent.ProfileImportExportExtension.Microsoft.MetadirectoryServices.IMAExtensibleCallExport.ExportEntry(ModificationType modificationType, String[] changedAttributes, CSEntry csentry) Forefront Identity Manager 4.0.2450.34

Root Cause:
The problem has been caused due to inconsistent assembly versions on the SharePoint servers after the installation of the package KB2560890. Multiple packages were released as part of the security bulletin that affect SharePoint 2010 and all applicable packages must be installed on SharePoint servers to ensure that version inconsistencies are not created in the environment.  However, it has been observed that only KB2560890 was pushed to servers via WSUS, resulting in the SharePoint assemblies being in an inconsistent state and creating dependency issues

Resolution:
Only known resolution yet:
Install SP1 and Lasted CU.
iSP1 + June Cu there are lots of fixes over all included in it, and also from June Cu we have new bits for the FIM agent and some performance improvements.
Anyway, after applying the udpates and patches, you should recreate the UPA as well to gain full functionality of all added fixes.
But don’t forget that the SP1 and Lasted CU has also some known issues . For preventing problems please check the microsoft release documents and blogs in Technet.

Prepare to deploy software updates (SharePoint Server 2010)
http://technet.microsoft.com/hi-in/library/ff806331(en-us).aspx

Sharepoint SP1 and June CU information
http://blogs.msdn.com/b/joerg_sinemus/archive/2011/06/29/sharepoint-2010-sp1-and-post-sp1-june-2011-cu.aspx
https://blog.bugrapostaci.com/2011/06/29/sharepoint-2010-service-pack-1-sp1-and-june-2011-cu-released/

Resources:
http://blogs.msdn.com/b/tehnoonr/archive/2011/09/19/september-security-bulletin-ms11-074-and-sharepoint-2010-issues.aspx
http://support.microsoft.com/kb/2560890
http://social.msdn.microsoft.com/Forums/en-AU/sharepoint2010general/thread/8b4d64ed-5f7b-473b-8121-d7f5b0bb5902

Have a nice patching.

Filed under Sharepoint 2010 Tagged with , , , , ,

Older posts